01-30-2008 10:08 PM - edited 02-21-2020 03:31 PM
Hi All,
We have successfully configured site-to-site IPSec. If interesting traffic hits the outgoing interface, the tunnel comes up on both ends, and you can also see packets being encrypted.
I'm having routing problems locally: I don't have a route that points local-to-remote traffic via the IPSec VPN.
remote peer: 89.3.2.1
remote local: 192.168.1.0/24
local peer: 50.3.3.1
local private: 10.2.5.0/24
I tried the following locally:
ip route 192.168.1.0 255.255.255.0 89.3.2.1
'didn't work'
ip route 192.168.1.0 255.255.255.0 50.3.3.1
'didn't work'
Please help!!!
01-31-2008 12:56 AM
Hi
You don't need a route for this traffic. The crypto map access-list tells the router/firewall which traffic needs to be encrypted. If a packet matches the crypto access-list it is encrypted and automatically sent down the tunnel.
Jon
01-31-2008 05:45 AM
Are you using crypto maps? What does your interesting traffic access look like?
01-31-2008 06:07 AM
I'm using crypto maps. My local access list is
access-list 144 permit ip 10.2.5.0 0.0.0.255 192.168.1.0 0.0.0.255
If I run "show access-list 144" I can see interesting traffic. Also, if I run "show crypto engine connection active" I can see traffic being encrypted. But I don't have a {192.168.1.0/24} route in the routing table, and traffic is not going through the tunnel.
01-31-2008 10:55 AM
Do this:
1- Under your crypto map, you need this:
reverse-route
2- Do "sh ip route"; you will see a static route in the routing table.
3- Redistribute that static route into your routing protocol so that downstream router(s) can see it.
4- Test again.
CCIE Security
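An added configuration example (not from any poster in this thread) putting together Jon's point that the crypto map ACL selects what is encrypted and the reverse-route advice above. It reuses the addresses and ACL 144 from the thread; the crypto map name VPNMAP, transform-set name TS, ISAKMP policy, interface name, pre-shared key placeholder and the choice of EIGRP AS 100 as the downstream routing protocol are assumptions for illustration only.

```cisco
! Phase 1 policy (assumed values; match whatever the remote end runs)
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
! PLACEHOLDER_PSK must be replaced with the real shared secret
crypto isakmp key PLACEHOLDER_PSK address 89.3.2.1

! Phase 2 transform set (assumed)
crypto ipsec transform-set TS esp-aes esp-sha-hmac

! Interesting-traffic ACL from the thread: local 10.2.5.0/24 to remote 192.168.1.0/24
access-list 144 permit ip 10.2.5.0 0.0.0.255 192.168.1.0 0.0.0.255

! Crypto map: the ACL, not a static route, decides what goes into the tunnel.
! reverse-route (RRI) installs a static route for 192.168.1.0/24 once the
! map is applied, so the rest of the network can learn the remote subnet.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 89.3.2.1
 set transform-set TS
 match address 144
 reverse-route

! Outside interface (interface name assumed); local peer address from the thread
interface FastEthernet0/0
 ip address 50.3.3.1 255.255.255.0
 crypto map VPNMAP

! Inside interface (name assumed); the LAN that hosts 10.2.5.x
interface FastEthernet0/1
 ip address 10.2.5.1 255.255.255.0

! Step 3 from the advice above: push the RRI static route to downstream
! routers. EIGRP AS 100 is an assumption; use your own IGP here.
router eigrp 100
 network 10.2.5.0 0.0.0.255
 redistribute static
```

To check the result, "show ip route static" should list 192.168.1.0/24 pointing out the crypto-mapped interface, and "show crypto ipsec sa" should show matching encrypt and decrypt counters on both peers; encrypts rising with decrypts stuck at zero is the symptom discussed later in this thread, and points at the return path or an upstream device rather than at this router's crypto configuration.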
02-01-2008 12:06 AM
Now I have the route in my routing table and I still can't reach the remote end.
If I run a traceroute from the local host, it stops at my internal router interface. Where else should I check?
i. My VPN is up
ii. Route to remote host is available
02-01-2008 04:41 AM
When you did the trace route, what did you use for the source interface? This source interface has to have a match in the access list.
02-03-2008 10:23 PM
I'm running a trace route from 10.2.5.2 (a local node).
If I run a ping test to 192.168.1.6 (active remote node), the ACL sees the interesting traffic, brings up the VPN and encapsulates the destination traffic. But I still don't reach the remote node.
02-04-2008 08:40 AM
Your traffic has already left the device if you see encrypts. It seems either the replies are not coming back from the other end, or the packet drops after it leaves the local device.
Do you see encrypts/decrypts on the other end of the tunnel?
Source a ping from the LAN interface of the VPN device itself, and ping the remote end's LAN interface (provided it is part of the crypto ACL).
HTH,
-Kanishka
02-10-2008 09:25 PM
SOLVED!!! :-)
After writing some emails to my ISP, I managed to see remote encrypted traffic.
Thanks everyone.